Signing releases with GPG keys #914
Comments
|
From @philips on October 3, 2018 21:56 Also related @ajeddeloh has been working on a YubiKey HSM backed signing server: https://github.com/coreos/fero |
|
From @ajeddeloh on October 3, 2018 22:7 Credit where it's due: @csssuf did the implementation, I just got it set up and deployed. It requires a pair of servers with a yubiHSM loaded with the secrets. If there's interest in using it, I can help with setup. It allows for setting thresholds such that you can specify "You need 100 points of signatures" where different users can have different weights for different secrets. I.e. you can set it up so you need 3 people to sign a release. |
|
From @philips on October 4, 2018 23:7 @dims what is signing the apt package releases? https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl |
|
The Google Cloud Packages Automatic Signing Key id is Thanks, |
|
/sig release |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
/remove-lifecycle rotten we have to start doing this stuff this year. |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
/remove-lifecycle stale |
|
/assign @justaugustus |
|
/area release-eng |
|
I have been thinking a lot about this problem over the last few months and would like to propose an alternative starting point to trying to do public key signing. Instead I think we should add cryptographic digests for the files released in Kubernetes. Commonly called SHA256SUMS files they can be easily generated using the common Alternatively, there are some release automation tools that can build these files automatically. Besides being a useful practice for download verification I would also like to use the SHA256SUMS as a way to ensure the releases aren't tampered with and track when they are modified. There is a tool called rget that I have been building that can do this if you provide SHA256SUMS for your releases. The rget tool also has a subcommand to make it easy to create SHA256SUMS for existing releases, just run: I would be happy to discuss this in SIG Release or any other forum to see what people think. But, it is super low risk just adding SHA256SUMS files. I have started a similar discussion in etcd as well: etcd-io/maintainers#16 |
|
(Moving the |
|
We're going to continue investigating this in 1.17. Mentioned there was: GCP-based HSM seems like a good path to consider as we start to stand up the community-based release prod infra. /milestone v1.17 |
|
Bug triage for 1.17 here. This issue has been open for a significant amount of time and since it is tagged for milestone 1.17, we want to let you know that the 1.17 code freeze is coming in less than one month on Nov. 14th. Will this issue be resolved before then? |
|
Migrated to k/release. /sig release |
k8s-ci-robot
added
the
sig/release
k8s-ci-robot
added
area/release-eng
As mentioned in the post in a comment above, a modern alternative to PGP infra is Signify/Minify, used by OpenBSD. |
|
Hi everyone, Out of curiosity, how are k8s release artifacts signed now? Also, an open-source alternative is The Update Framework (TUF) and in-toto, which are other CNCF projects. I'm involved in both, and am happy to discuss how to integrate them with k8s. The Datadog Agent integrations uses both to make sure that attacks anywhere between developers and end-users can be detected. |
|
big +1, @trishankatdatadog. I think at least signing the release tags on the |
k8s-ci-robot
added
the
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/reopen |
|
/remove-lifecycle rotten |
k8s-ci-robot
removed
the
lifecycle/rotten
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
k8s-ci-robot
added
the
lifecycle/stale
|
We're probably gonna go sigstore, no? @dlorenc @justaugustus |
Quite possibly! Would love if you and Dan had some time to pop by a RelEng meeting to discuss :) cc: @kubernetes/release-engineering |
justaugustus
removed
the
lifecycle/stale
Happy to join anytime, although Dan and @lukehinds can advise better here :) |
|
I am more than happy to jump on, is the topic marked for discussion on any particular date? |
|
Opened a separate issue to discuss signing artifacts via cosign: #2227 |
This comment has been minimized.
This comment has been minimized.
|
The initial draft of the sining KEP is proposed in kubernetes/enhancements#3061 |
|
Closing in favor of kubernetes/enhancements#3031 and #2227. |
|
@justaugustus: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
From @dims on September 21, 2018 20:58
I'd like us to sign release artifacts using GPG keys. Here's how other foundations do it:
Ideally we would build a web of trust including the patch/branch managers and use keys when building the artifacts at the same time as we generate the md5 and sha1/512 manifests. We could have a signing party at kubecon to kick off the web of trust too!
Thanks,
Dims
Copied from original issue: #636
The text was updated successfully, but these errors were encountered: